App Engine Requirement

Previously, all Firestore databases were linked to an App Engine app. When linked, your database requires an active App Engine app in the same project. Without the active App Engine app, read and write access to the database is disabled.

Firestore databases are now provisioned unlinked from App Engine by default.

If your database is linked to an App Engine, you can unlink your database.

Active App Engine

An active App Engine app means that an app exists in the same project and that this app is not disabled. It does not require that app to have any usage. The linked app and database must exist in the same region.

If you disable your App Engine app, you also disable access to the Firestore database linked to that app.

You can check the App Engine unlink state using the REST API:

curl  --header "Authorization: Bearer $(gcloud auth print-access-token)" \
--header "Content-type: application/json" \
"https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)"

In the response, look at the value of appEngineIntegrationMode. If the value is DISABLED, your database is not linked to an App Engine app.

If you disable a linked App Engine app, you also disable read and write access to your database. If this happens, the Firestore Data page in Google Cloud console presents the option to unlink your database from the App Engine app. Click Unlink Database to begin the process.

Go to Firestore Data

You can also unlink your database using the REST API:

curl -X PATCH \
--header "Authorization: Bearer $(gcloud auth print-access-token)" \
--header "Content-type: application/json" \
--data '{"app_engine_integration_mode": "DISABLED"}' \
"https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)?updateMask=appEngineIntegrationMode"

When you unlink your database, you can disable App Engine without affecting access to your database. Unlinking is a permanent operation. It may take up to five minutes for the unlinking operation to take effect.

Migrating Terraform App Engine Resources

If you previously managed Firestore databases via the google_app_engine_application Terraform resource, you can use the google_firestore_database Terraform resource instead.

For general instructions on managing Firestore databases via Terraform, see Automating database creation.

Create a google_firestore_database resource

In your Terraform configuration file, create a new google_firestore_database resource:

firestore.tf

resource "google_firestore_database" "database" {
  project     = "project"
  name        = "(default)"
  location_id = "location"
  
  type = "database_type" // either "FIRESTORE_NATIVE" or "DATASTORE_MODE"
  
  app_engine_integration_mode = "DISABLED"

  // Optional, but recommended for safety
  delete_protection_state = "DELETE_PROTECTION_ENABLED"
}

See Firestore locations for the list of available locations. Choose the location corresponding to that of your existing database.

Import the existing Firestore database

First, ensure that the Firestore API is enabled.

Next, import the existing Firestore database into your Terraform state:

terraform import google_firestore_database.database "(default)"

Next, run:

terraform plan

Inspect the output to ensure the import completed successfully. If the output shows any fields changing, ensure these changes are intended. If the output includes a line similar to:

google_firestore_database.database must be replaced

then inspect your Terraform configuration file to see if there were any mistakes, particularly in the project, location, or name fields, and then run terraform plan again. Any fields that are requiring Terraform to replace your database will be marked with # forces replacement in the plan output.

Once you are satisfied with the Terraform plan output, run:

terraform apply

Removing the google_app_engine_application resource

If you have an existing google_app_engine_application resource in your Terraform configuration file, remove it from that file now.

Afterwards, once again run:

terraform plan

You should see output similar to the following:

Terraform will perform the following actions:

  # google_app_engine_application.app will be destroyed
  # (because google_app_engine_application.app is not in configuration)

Once you are satisfied with the plan output, run

terraform apply

Terraform does not currently support deletion of App Engine resources; although Terraform will show the resource as being destroyed, it will not actually delete the App Engine application. However, the App Engine application will no longer be managed by Terraform.

Firestore API Requirement

Previously, all Firestore databases were linked to an App Engine app. Firestore databases are now provisioned unlinked from App Engine by default. Additionally, all databases, both existing and newly created, now have the following requirements:

  • To manage your database from the Google Cloud console and the gcloud CLI, the Firestore API must be enabled in the project. This is required for both Firestore in Native mode and Firestore in Datastore mode databases.
  • When executed from the Google Cloud console or the gcloud CLI, the administrative operations below will require the following IAM permissions:

    • Create database: datastore.databases.create
    • View database metadata: datastore.databases.getMetadata
    • Edit database metadata: datastore.databases.update

Predefined roles such as Datastore User and Datastore Viewer include the required permissions. If you created any custom IAM roles, you may need to update them to include the permissions above.

If you previously defined a custom role for Datastore, it might lack the datastore.databases.getMetadata permission. Ensure continued access by updating your custom roles with datastore.databases.getMetadata or by using a predefined role.

Enabling the API via Terraform

If you wish, you can also enable the Firestore API via Terraform:

resource "google_project_service" "firestore" {
  project = "project"
  service = "firestore.googleapis.com"
}

If you have a google_firestore_database resource, you can add a dependency on the google_project_service resource to ensure that the API is enabled before Terraform attempts to create the database:

resource "google_firestore_database" "database" {
  // ...
  depends_on = [google_project_service.firestore]
}